
Goals



  1. Goals
  • Design the DHCP infrastructure
  • Design the remote access infrastructure
  • Design remote access policies

  2. (Skill 1) Designing the DHCP Infrastructure
  • Dynamic Host Configuration Protocol (DHCP)
  • A simple, but critical, service
  • Functionality
    • Provides IP addressing information to client computers
    • Records the addresses leased
    • Can also be configured to notify DNS of address leases to update and maintain a Dynamic DNS (DDNS) zone

  3. (Skill 1) Designing the DHCP Infrastructure (4)
  • Number of subnets supported in the design
    • Helps determine how many scopes are required
    • Identifies how many addresses will be provided via DHCP
    • Indicates how many superscopes are required
    • Identifies the exclusions and reservations that will be required

  4. (Skill 1) Designing the DHCP Infrastructure (5)
  • RFC 1542 compliance in routers
    • To be RFC 1542-compliant, routers themselves must be capable of acting as Bootstrap Protocol (BOOTP) relay agents
    • Determines whether you require any DHCP relay agents to create a centralized DHCP design
  • Number of scopes required
    • Typically determined once you examine the subnet model

  5. (Skill 1) Designing the DHCP Infrastructure (6)
  • Number of superscopes required
    • A superscope is a way of combining more than one non-contiguous IP address range into a single scope
    • Superscopes are only required when you need multiple non-contiguous subnets to be leased to a single physical subnet

  6. (Skill 1) Designing the DHCP Infrastructure (7)
  • Reservations and exclusions
    • Reservations are typically used when you do not want to manually configure each client, but you want a specific group of clients to always have the same IP address
    • Exclusions are addresses that will never be handed out by the DHCP server

  7. (Skill 1) Designing the DHCP Infrastructure (8)
  • Presence of other DHCP servers/Active Directory integration
    • Active Directory server authorization
      • Windows Server 2003 and Windows 2000 Server require DHCP servers to be authorized in Active Directory before starting, which is a mechanism to disable rogue DHCP servers
      • Windows NT, Unix, and NetWare DHCP servers, as well as client systems with Internet Connection Sharing enabled, do not have this feature
    • It is important to know where the other devices are on the network that may potentially function as a DHCP server and make sure that they are not configured to offer IP addresses
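Worked example, added here and not part of the slide deck: a small Python checker that parses a captured DHCPOFFER and flags it when the server identifier (option 54) is not on the site's list of authorized servers, which is the kind of check a defender runs for the non-Windows devices that Active Directory authorization does not cover. The authorized addresses and the packet builder used as sample input are constructed for the example.

```python
import ipaddress
import struct

# Constructed for this example: the site's authorized DHCP servers (in production
# this list would mirror the servers authorized in Active Directory).
AUTHORIZED_DHCP_SERVERS = {"10.0.0.10", "10.0.0.11"}

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # follows the 236-byte BOOTP header, starts the options
OPT_MESSAGE_TYPE, OPT_SERVER_ID, OPT_END = 53, 54, 255
DHCP_OFFER = 2


def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option_code: value_bytes} from a BOOTP/DHCP packet's option area."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == 0:                  # pad option: single byte, no length field
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def offering_server(payload: bytes):
    """Server identifier (option 54) of a DHCPOFFER, or None if the packet is not an offer."""
    opts = parse_dhcp_options(payload)
    if opts.get(OPT_MESSAGE_TYPE) != bytes([DHCP_OFFER]):
        return None
    if OPT_SERVER_ID not in opts:
        raise ValueError("DHCPOFFER without a server identifier")
    return str(ipaddress.IPv4Address(opts[OPT_SERVER_ID]))


def is_rogue_offer(payload: bytes) -> bool:
    """True when an offer comes from a server that is not on the authorized list."""
    server = offering_server(payload)
    return server is not None and server not in AUTHORIZED_DHCP_SERVERS


def build_offer(server_ip: str, yiaddr: str) -> bytes:
    """Constructed DHCPOFFER used as sample input: op=2 (BOOTREPLY), Ethernet htype/hlen."""
    header = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x3903F326, 0, 0)  # op,htype,hlen,hops,xid,secs,flags
    for addr in ("0.0.0.0", yiaddr, server_ip, "0.0.0.0"):           # ciaddr, yiaddr, siaddr, giaddr
        header += ipaddress.IPv4Address(addr).packed
    header += b"\x00" * (236 - len(header))                          # chaddr, sname, file left empty
    options = bytes([OPT_MESSAGE_TYPE, 1, DHCP_OFFER, OPT_SERVER_ID, 4])
    return header + MAGIC_COOKIE + options + ipaddress.IPv4Address(server_ip).packed + bytes([OPT_END])
```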

  8. (Skill 1) Designing the DHCP Infrastructure (9)
  • Redundancy requirements
    • Generally want at least two DHCP servers hosting each scope
    • Servers do not have to be solely dedicated to DHCP
      • DHCP can be installed on file servers, print servers, and even domain controllers

  9. (Skill 1) Designing the DHCP Infrastructure (10)
  • Two basic types of DHCP infrastructure designs
    • Centralized
    • Decentralized

  10. (Skill 1) Designing the DHCP Infrastructure (11)
  • Centralized design
    • Place two or more DHCP servers in a central hub location and enable BOOTP forwarding on routers for remote DHCP-enabled subnets
    • Typically easier to administer and less costly
    • May make meeting redundancy requirements difficult

  11. (Skill 1) Designing the DHCP Infrastructure (12)
  • Decentralized design
    • Place a DHCP server on each DHCP-enabled subnet, with a backup copy of each different scope on an adjacent server
    • Requires more administrative resources
    • Requires more server resources
    • Makes achieving redundancy much easier

  12. (Skill 1) Figure 5-4 Reservations and exclusions

  13. (Skill 1) Figure 5-5 Decentralized DHCP model

  14. (Skill 1) Figure 5-6 Centralized DHCP model

  15. (Skill 2) Designing the Remote Access Infrastructure
  • Remote access infrastructure design considerations
    • Type of remote access (dial-up or VPN) required
    • How many concurrent users must be supported
    • Availability requirements

  16. (Skill 2) Designing the Remote Access Infrastructure (2)
  • Type of remote access (dial-up or VPN) required
    • Determines the physical considerations of the design
    • Dial-up (POTS or ISDN): must ensure there are enough incoming lines
    • VPN
      • Ensure you have adequate Internet bandwidth
      • Ensure the encryption load can be supported

  17. (Skill 2) Designing the Remote Access Infrastructure (3)
  • Availability requirements
    • Determines the number of RAS servers required
    • Determines the configuration of RAS servers
    • If using VPNs, can use network load balancing (NLB) for maximal availability
    • If using dial-up, specialized hardware to distribute connections is typically required

  18. (Skill 2) Designing the Remote Access Infrastructure (4)
  • Hardware requirements
    • RAS is a fairly low-impact service
    • Network connectivity for the RAS server is the biggest consideration
    • When using VPNs, make sure the server’s processing capability can support the encryption requirements of the connections

  19. (Skill 2) Designing the Remote Access Infrastructure (5)
  • Server placement
    • Place the RAS server and RAS connectivity as near as possible to the network resources that remote users will most commonly access
    • Placement of servers vis-à-vis the firewall is very important

  20. (Skill 2) Designing the Remote Access Infrastructure (6)
  • Authentication, authorization, and accounting (AAA)
    • RADIUS is generally a better choice than Windows Accounting
      • Provides centralization of remote access policies and accounting information

  21. (Skill 2) Designing the Remote Access Infrastructure (7)
  • Auditing and logging options
    • Enable Internet Authentication Service (IAS) logging to keep a running list of connections made to the RAS server
    • Enable logging of accounting and authentication requests
    • Audit successful and failed account logon events

  22. (Skill 2) Figure 5-10 Placement of a VPN server

  23. (Skill 3) Designing Remote Access Policies (2)
  • Remote access policy conditions
    • Used to match a specific policy to a given user
    • Available condition components
      • Authentication-Type: Matches users based on the type of authentication protocol they are using
      • Called-Station-ID: Matches users based on the phone number they dialed
      • Calling-Station-ID: Matches users based on the phone number from which they are calling

  24. (Skill 3) Designing Remote Access Policies (3)
  • Available condition components
    • Client-Friendly-Name: Defines the friendly name of the RADIUS client that is requesting use of the RADIUS server
    • Client-IP-Address: Matches the IP address of the RADIUS client that is requesting access
    • Client-Vendor: Matches the vendor of the RADIUS client
    • Day-and-Time-Restrictions: Matches the user based on the day and time they attempt to connect

  25. (Skill 3) Designing Remote Access Policies (6)
  • Remote access policy permissions
    • Used to control access
    • Set to allow or deny access
  • Remote access policy profile
    • Used to restrict which remote access settings are supported
    • Settings are defined in the Edit Dial-in Profile dialog box
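Worked example, added here and not part of the slide deck: a Python model of how an ordered list of remote access policies, each built from the condition components listed above plus an allow/deny permission, resolves a connection request. The policy names, the sample values and the default-deny fallback for a request that matches no policy are assumptions made for the example; connection attributes are passed as a plain dictionary.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime

WEEKDAYS = frozenset(range(5))          # Monday..Friday in datetime.weekday() numbering


@dataclass
class Policy:
    name: str
    conditions: dict        # condition attribute -> values that satisfy it
    permission: str         # "allow" or "deny"


def condition_matches(attribute: str, allowed, request: dict) -> bool:
    """Evaluate one policy condition against the attributes of a connection request."""
    if attribute == "Client-IP-Address":    # RADIUS client (access server) address, matched by network
        client = ipaddress.ip_address(request["Client-IP-Address"])
        return any(client in ipaddress.ip_network(net) for net in allowed)
    if attribute == "Day-and-Time-Restrictions":    # allowed = {(weekday set, start hour, end hour)}
        when = datetime.fromisoformat(request["timestamp"])
        return any(when.weekday() in days and start <= when.hour < end
                   for days, start, end in allowed)
    # Authentication-Type, Called-Station-ID, Calling-Station-ID, Client-Friendly-Name,
    # Client-Vendor: a plain value match; a missing attribute never matches
    return request.get(attribute) in allowed


def evaluate(policies, request: dict):
    """Policies are ordered; the first one whose conditions all match decides the outcome.
    A request that matches no policy is rejected (default-deny assumed here)."""
    for policy in policies:
        if all(condition_matches(attr, values, request)
               for attr, values in policy.conditions.items()):
            return policy.permission, policy.name
    return "deny", None


# Constructed sample policy set; the unconditional deny at the end catches everything else
POLICIES = [
    Policy("VPN during business hours",
           {"Authentication-Type": {"EAP", "MS-CHAP v2"},
            "Client-IP-Address": {"10.0.0.0/24"},
            "Day-and-Time-Restrictions": {(WEEKDAYS, 7, 19)}},
           "allow"),
    Policy("Known branch dial-in", {"Calling-Station-ID": {"5551234"}}, "allow"),
    Policy("Everything else", {}, "deny"),
]
```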

  26. (Skill 3) Designing Remote Access Policies (7)
  • Tabs in the Edit Dial-in Profile dialog box
    • Dial-in Constraints tab: Used to define any needed restrictions for the dial-in properties of the policy
    • IP tab: Used to define the IP properties associated with the connections to which this profile applies
    • Multilink tab: Used to define the settings applied to multilink connections for this policy

  27. (Skill 3) Designing Remote Access Policies (8)
  • Tabs in the Edit Dial-in Profile dialog box
    • Authentication tab: Used to define the authentication methods allowed by this policy
    • Encryption tab: Used to define MPPE encryption levels for the connection
    • Advanced tab: Used to define special settings to be returned from RADIUS servers to RADIUS clients

  28. (Skill 3) Figure 5-11 Components of a remote access policy

  29. (Skill 3) Figure 5-12 Dial-in Constraints tab

  30. (Skill 3) Figure 5-13 IP tab

  31. (Skill 3) Figure 5-14 Multilink tab

  32. (Skill 3) Figure 5-15 Authentication tab

  33. (Skill 3) Figure 5-16 Encryption tab

  34. (Skill 3) Figure 5-17 Advanced tab
